New VPNFilter malware targets at least 500K networking devices worldwide

May 23, 2018 - 25 Comments


For several months, Talos has been working with public- and private-sector threat intelligence partners and law enforcement in researching an advanced, likely state-sponsored or state-affiliated actor’s widespread use of a sophisticated modular malware system we call “VPNFilter.” We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves.  In particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine. While this isn’t definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country. Weighing these factors together, we felt it was best to publish our findings so far prior to completing our research. Publishing early means that we don’t yet have all the answers — we may not even have all the questions — so this blog represents our findings as of today, and we will update our findings as we continue our investigation.

Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries. The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices. No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues. The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allow for theft of website credentials and monitoring of Modbus SCADA protocols. Lastly, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.

The types of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package. We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward. All of this has contributed to the quiet growth of this threat since at least 2016.

This post provides the technical findings you would normally see in a Talos blog. In addition, we will detail some thoughts on the tradecraft behind this threat, using our findings and the background of our analysts, to discuss the possible thought process and decisions made by the actor. We will also discuss how to defend against this threat and how to handle a device that may be infected. Finally, we will share the IOCs that we have observed to this point, although we are confident there are more that we have not seen.

Read More here




  1. Talos has been associated with threat intelligence and law enforcement research in advanced. VPN filter is the malware inspect. Provides different types of malware detecting techniques.

  2. We use DD-WRT to overwrite firmware on older routers and run through secure DNS servers, such as Comodo. Already wiped newer router firmware and restored it–we keep current copies downloaded only from the manufacturers' sites.

    Never wait for instructions from CERT, FBI, or any other agency–once these things are discovered, it's already too late and these agencies are only there to warn people and research the effects. Act right away if you can and make sure you always have good backups–an external USB 3 drive can be a wonderful thing for home users in the case of a PC compromise. For routers, it's a different approach as you've read here and elsewhere (thank you to the author).

    Wiping the router and restoring firmware, then configuration from a saved .cfg file seems to be the most desirable option. It would be nice if the router manufacturers set up a website with simple "1-2-3" instructions to reset and reload their branded products.

  3. "…. default credentials…"
    Sounds like the primary access was through default creds. So if you were smart enough to change them, you're probably OK. If you didn't change them, that's on you.

  4. Are dumb switches vulnerable?

  5. My Cisco WRVS4400N router is on the vulnerability list. When will a firmware fix be available from Cisco?

  6. How can I stop I'm a victim

  7. Gee, it would be nice to know if:
    + My EA4500 is vulnerable
    + If there is a patch to prevent the vulnerability

  8. FAKE NEWS!!!

  9. what a pile of pure crap

  10. "…at least 500,000 [infected devices] in 54 countries…" sounds like the tip of the iceberg, given the specific vendors mentioned. For the SOHO user, replacement of vulnerable equipment would appear to be the quickest way to avoid this threat. It would be helpful to be able to consult listings of known vulnerable products, and, if possible, listings of products known to be adequately protected against it.

  11. It looks like someone sent a comment to Twitter, Facebook and LinkedIn in my account, but if this is an actual device, I do not have it. I'll get my child to school and check it out.

    Comcast has a Business Account with my information but last night I spoke with the Security Assurance Dept and besides being super rude, I was again there is no Business Account-even though I can see it, and I found it on their Open Source Link.

  12. We are then in desperate need of legislation at the Federal Level then for the private citizen.

    The ISPs generally will only update the firmware of when it is provided by them for their own equipment and their own time. So if they do not patch the modem within a reasonable amount of time, their customers can be screwed by any level of potential malware that can get into a cable modem/router.

    When a customer purchases their own equipment (such as a cable modem) most ISPs will not update the firmware per the "terms of service" since it may be referred to as "Customer Equipment". And since equipment provider/vendor does not provide a way for a customer to update their own equipment nor the update the equipment via technical support, the customer again gets screwed.

    A level of advice to Cisco/Talos…..if you want to make a difference, don't just announce "oh look, we have another version of malware you can do nothing about". Get off your butts and demand legislation that gets these ISPs off their ass when a customer contacts them to update equipment whether it's the ISP's or owned by the customer paying out the ass for their service.

    A frustrated home individual……

    • WHAT!, What on earth do you expect from legislation?
      Law makers are somehow going to ???… What, make it a legal requirement that someone patch your equipment for you?
      You say federal and I am going to assume you mean US Government? This is an international issue?

      #1) Take responsibility and ask your service providers to assist you if you can't help yourself! I certainly don't want my rates to climb because some people don't have the skills or resources to help themselves.

      #2) Thank you Talos! For bringing an awareness to "frustrated home individual" and the rest of us about our own responsibility to monitor and patch our equipment, especially the mentioned devices in your posts.

      Message to "A frustrated home individual" – Talos has not done a disservice to anyone. They did not say (if I may quote you) "oh look, we have another version of malware you can do nothing about". Not even close to that language. You might consider finding different service providers willing to hold your hand? Maybe buy routers that include support and frequent patching of their products, like say Cisco enterprise products?
      PS: Take responsibility! Choose providers that can service your needs.

      • To: Air.Wreck.MSP

        What you don't understand is that this is an inter-connected world. The problem for one becomes the problem for all. It is to the interest of ISPs and everyone's to take necessary actions to mitigate malware issues. Otherwise sooner or later it will bite us all!

      • Dear Air.Wreck.MSP,

        You overlook the fact that the majority of Comcast and Verizon subscribers lease their (Actiontec for Verizon, Cisco or Netgear for Comcast) routers from the company. In a ploy to make customers pay more, they have a policy of not patching their routers, save for the latest router(s) offered. Well over 85% of Verizon routers in use today are vulnerable to the KRACK exploit and Verizon stated flat out that they will not push out the patch, despite the fact that Actiontec has released a patch to them. This is the sorry state of affairs that the American marketplace is, no accountability for companies to play fast and loose with the welfare of their customers, regardless of the impact it may have on their own network. That's why I always find it comical that Verizon heads a yearly security summit, but yet has the worst security in the industry.

      • This is getting off topic, but the equipment makers could do a much better job. Your mobile phone has a public key that it uses to verify updates signed with the corresponding private key from the phone manufacturer.

        There is no reason your router can not install updates to itself without owner interaction using the same code signing methods. Most home users will not notice a brief outage. Advanced users can turn auto-update off.

    • The firmware for DOCSIS 3.1 cable modems, whether provided by the cable ISP or customer (CPE) is updated by the cable ISP, e.g. NetGear CM1000.

      My cable modem was automatically updated to the latest and greatest firmware version by Comcast/Xfinity.

      It is unclear from the alert if vulnerable equipment includes standalone cable modems, DSL modems, or combination modem/routers.

      • And there's the problem: you are at the mercy of your ISP. *YOU* can do nothing about it. *YOU* have no clue if it contains another payload, backdoor, etc. Unless you're running something truly open source, the only thing open (for business by the Dark Web) is YOU!

    • Our legislation creators don't even know how the internet works and you want them to help us??

      I'm lost for words at the pure ignorance and borderline stupidity of your post.

    • I'm sorry but you really have no idea what you're asking. How many people do you know that actually register products with companies? How, in god's name, are companies able to locate hundreds of thousands of products that are unregistered? Involving the government adds a whole new layer on top of a layer that is already messed up. Do you expect the government to tell you when to get an oil change? How about tires? No. I believe it's your responsibility to maintain your vehicles and your computer gear. It is, after all, your gear…

    • Maybe you haven't been paying attention. Congress doesn't do much these days. Moreover, it's your equipment and you are responsible for its upkeep.

      • BUT, TestGeek and Leo, as pointed out by the guy I replied to the first time, he has no control over his firmware as it is supplied and updated by the ISP. Likewise for any closed-source firmware: unless you're a large company with a dedicated IT department willing to fuzz the inputs, you really have no idea what you're running under the hood. After all, we all know for a fact that Cisco cooperates with the NSA and CIA willingly: it's only because it's the "Bad Guys" (who, as has been pointed out to me, were surprisingly lax and primitive for a State Actor-level APT) do we know as much as we do.

    • 1. The ISP does not write router firmware – the manufacturer of the router does.
      2. The ISP does not write modem firmware either – the only thing the ISP adds to the modem is the ratecode for whatever service you have.

      • If that were true, then your ISP's logo would not be on the login page or anywhere else in the webpages the router serves up. The fact is that the router manufacturer writes the bulk of the software, then turns it over to the ISP to "customize" utilizing hidden features they (Verizon) asked the manufacturer to make. Verizon has backdoors built in to its router firmware so they can push out updates to the router and set top boxes, reboot the router, remotely troubleshoot and throttle speed. Therein lies the rub, while you can try to force a manufacturer's patch onto your router, since it's running modified firmware, you may very well break it.

    • This article is a heads up. Check to see if your equipment is on the list, if your router has known vulnerabilities, check to make sure you don't have default credentials, and if you are paranoid replace the equipment. The article said the growth of this malware since 2016. So if you are infected you're infected. Take steps to correct it.